Vendor Due Diligence Questionnaire
Issuing Organization: [________________________________]
Date Issued: [__/__/____]
Due Date for Completion: [__/__/____]
Vendor Risk Tier: ☐ Critical | ☐ High | ☐ Medium | ☐ Low
TABLE OF CONTENTS
- Instructions and Scope
- Vendor Profile and Ownership
- Sanctions, PEP, and Adverse Media Screening
- Services, Data, and Locations
- Information Security Controls
- Privacy and Data Subject Rights
- Subprocessors and Fourth Parties
- Incident Response and Breach History
- Business Continuity and Disaster Recovery
- Certifications, Audits, and Testing
- Insurance Coverage
- Legal and Regulatory Matters
- Financial Viability
- ESG, Ethics, and Anti-Corruption
- Required Artifacts Checklist
- Attestation and Signoff
1. INSTRUCTIONS AND SCOPE
1.1 Purpose
This Vendor Due Diligence Questionnaire ("VDQ") is designed to evaluate the risk posture of prospective and existing vendors, service providers, and third parties in accordance with federal regulatory guidance, including OCC Bulletin 2023-17 (Third-Party Risk Management), FFIEC IT Examination Handbook guidance on outsourcing, and CFPB Bulletin 2012-03 (Service Provider Oversight). Responses will inform risk tiering, contracting requirements, and ongoing monitoring.
1.2 Completion Instructions
- Complete all sections; enter "N/A" with a brief explanation where a question does not apply.
- Attach all requested evidence and supporting documentation.
- Responses must reflect the vendor's actual, current controls and practices.
- Critical-tier and High-tier vendors must provide independent evidence (e.g., SOC 2 reports, penetration test summaries, certifications).
- If the vendor has acquired, merged with, or been acquired by another entity within the past 24 months, provide details in Section 12.
1.3 Confidentiality
All information provided in this questionnaire will be treated as confidential and used solely for due diligence and risk management purposes.
2. VENDOR PROFILE AND OWNERSHIP
2.1 Corporate Information
| Field | Response |
|---|---|
| Legal Entity Name | [________________________________] |
| Doing Business As (DBA) | [________________________________] |
| Date of Incorporation/Formation | [__/__/____] |
| Jurisdiction of Incorporation | [________________________________] |
| Principal Business Address | [________________________________] |
| Website | [________________________________] |
| Tax Identification Number (EIN) | [________________________________] |
| DUNS Number (if applicable) | [________________________________] |
| Entity Type | ☐ Corporation ☐ LLC ☐ Partnership ☐ Sole Proprietorship ☐ Other: [____] |
2.2 Ownership Structure
| Field | Response |
|---|---|
| Ultimate Parent Company | [________________________________] |
| Parent Company Jurisdiction | [________________________________] |
| Is the vendor publicly traded? | ☐ Yes ☐ No |
| If yes, stock exchange and ticker | [________________________________] |
Beneficial Owners (10% or greater ownership interest):
| Name | Title/Role | Ownership Percentage | Country of Residence |
|---|---|---|---|
| [________________________________] | [________________] | [____]% | [________________] |
| [________________________________] | [________________] | [____]% | [________________] |
| [________________________________] | [________________] | [____]% | [________________] |
2.3 Key Contacts
| Role | Name | Phone | Email |
|---|---|---|---|
| Primary Business Contact | [________________] | [________________] | [________________] |
| Information Security Lead | [________________] | [________________] | [________________] |
| Privacy Officer/DPO | [________________] | [________________] | [________________] |
| Incident Response Contact | [________________] | [________________] | [________________] |
| Billing/Finance Contact | [________________] | [________________] | [________________] |
3. SANCTIONS, PEP, AND ADVERSE MEDIA SCREENING
3.1 Sanctions Screening
☐ Vendor confirms that it, its owners, officers, and directors have been screened against the following sanctions lists:
| Sanctions List | Screened | Match Found |
|---|---|---|
| OFAC Specially Designated Nationals (SDN) | ☐ Yes ☐ No | ☐ Yes ☐ No |
| OFAC Consolidated Sanctions List | ☐ Yes ☐ No | ☐ Yes ☐ No |
| UN Security Council Consolidated List | ☐ Yes ☐ No | ☐ Yes ☐ No |
| EU Consolidated Financial Sanctions List | ☐ Yes ☐ No | ☐ Yes ☐ No |
| UK HM Treasury Sanctions List | ☐ Yes ☐ No | ☐ Yes ☐ No |
| Other applicable local lists | ☐ Yes ☐ No | ☐ Yes ☐ No |
3.2 Politically Exposed Persons (PEP)
Do any beneficial owners, officers, or directors qualify as a Politically Exposed Person?
☐ Yes ☐ No
If yes, provide details: [________________________________]
3.3 Adverse Media
Has the vendor or any of its officers, directors, or beneficial owners been the subject of adverse media coverage, regulatory enforcement actions, criminal proceedings, or civil settlements within the past five (5) years?
☐ Yes ☐ No
If yes, provide details and describe remediation steps taken:
[________________________________]
4. SERVICES, DATA, AND LOCATIONS
4.1 Services Description
| Field | Response |
|---|---|
| Description of services to be provided | [________________________________] |
| Criticality to our operations | ☐ Critical ☐ High ☐ Medium ☐ Low |
| Will the vendor interact with our customers? | ☐ Yes ☐ No |
| Will the vendor have access to our systems? | ☐ Yes ☐ No |
| Type of access | ☐ Read-only ☐ Read/Write ☐ Administrative ☐ N/A |
4.2 Data Categories Handled
☐ Personally Identifiable Information (PII)
☐ Protected Health Information (PHI)
☐ Payment Card Industry Data (PCI)
☐ Financial account data
☐ Social Security Numbers
☐ Biometric data
☐ Children's data (under 13)
☐ Sensitive personal information (as defined by state privacy laws)
☐ Trade secrets or confidential business information
☐ Employee data
☐ Authentication credentials
☐ Other regulated data: [________________________________]
Estimated volume of records: ☐ <1,000 ☐ 1,000–10,000 ☐ 10,000–100,000 ☐ 100,000–1M ☐ >1M
4.3 Data Processing and Storage Locations
| Location (City, State/Country) | Type of Activity | Data Categories |
|---|---|---|
| [________________________________] | ☐ Processing ☐ Storage ☐ Both | [________________] |
| [________________________________] | ☐ Processing ☐ Storage ☐ Both | [________________] |
| [________________________________] | ☐ Processing ☐ Storage ☐ Both | [________________] |
4.4 Cross-Border Transfers
Will data be transferred outside the United States? ☐ Yes ☐ No
If yes, describe transfer mechanisms in use:
☐ Standard Contractual Clauses (SCCs)
☐ UK International Data Transfer Agreement (IDTA)
☐ Binding Corporate Rules (BCRs)
☐ Consent
☐ Other: [________________________________]
5. INFORMATION SECURITY CONTROLS
5.1 Access Controls
| # | Control Area | Response | Details |
|---|---|---|---|
| 5.1.1 | Is multi-factor authentication (MFA) required for all remote access? | ☐ Yes ☐ No | [________________] |
| 5.1.2 | Is MFA required for access to systems processing our data? | ☐ Yes ☐ No | [________________] |
| 5.1.3 | Is role-based access control (RBAC) implemented? | ☐ Yes ☐ No | [________________] |
| 5.1.4 | Is the principle of least privilege enforced? | ☐ Yes ☐ No ☐ Partial | [________________] |
| 5.1.5 | Are access rights reviewed periodically? | ☐ Yes ☐ No | Frequency: [____] |
| 5.1.6 | Is access terminated within 24 hours of employee departure? | ☐ Yes ☐ No | SLA: [____] |
| 5.1.7 | Is privileged access managed and monitored separately? | ☐ Yes ☐ No ☐ Partial | [________________] |
5.2 Encryption and Key Management
| # | Control Area | Response | Details |
|---|---|---|---|
| 5.2.1 | Is data encrypted at rest? | ☐ Yes ☐ No | Algorithm: [____] |
| 5.2.2 | Is data encrypted in transit? | ☐ Yes ☐ No | Protocol: [____] |
| 5.2.3 | Are encryption keys managed separately from encrypted data? | ☐ Yes ☐ No | [________________] |
| 5.2.4 | Is a formal key management program documented? | ☐ Yes ☐ No | [________________] |
5.3 Network and Infrastructure Security
| # | Control Area | Response | Details |
|---|---|---|---|
| 5.3.1 | Are firewalls implemented and maintained? | ☐ Yes ☐ No | [________________] |
| 5.3.2 | Is intrusion detection/prevention (IDS/IPS) deployed? | ☐ Yes ☐ No | [________________] |
| 5.3.3 | Is network segmentation implemented? | ☐ Yes ☐ No | [________________] |
| 5.3.4 | Are systems hardened to security baselines (CIS, DISA STIG)? | ☐ Yes ☐ No ☐ Partial | [________________] |
| 5.3.5 | Is there a patch management program? | ☐ Yes ☐ No | SLA: [____] |
| 5.3.6 | Are vulnerability scans conducted regularly? | ☐ Yes ☐ No | Frequency: [____] |
5.4 Endpoint and Physical Security
| # | Control Area | Response | Details |
|---|---|---|---|
| 5.4.1 | Is endpoint detection and response (EDR) deployed? | ☐ Yes ☐ No | Product: [____] |
| 5.4.2 | Are endpoints encrypted (full disk)? | ☐ Yes ☐ No | [________________] |
| 5.4.3 | Is mobile device management (MDM) implemented? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 5.4.4 | Are physical access controls in place at data center facilities? | ☐ Yes ☐ No | [________________] |
| 5.4.5 | Is video surveillance maintained? | ☐ Yes ☐ No | [________________] |
5.5 Logging and Monitoring
| # | Control Area | Response | Details |
|---|---|---|---|
| 5.5.1 | Are security events centrally logged and monitored? | ☐ Yes ☐ No | SIEM: [____] |
| 5.5.2 | Are logs retained for a minimum of 12 months? | ☐ Yes ☐ No | Retention: [____] |
| 5.5.3 | Is a Security Operations Center (SOC) maintained? | ☐ Yes ☐ No | ☐ In-house ☐ MSSP |
| 5.5.4 | Are alerts triaged and investigated with documented SLAs? | ☐ Yes ☐ No | [________________] |
5.6 Secure Development Lifecycle (SDLC)
| # | Control Area | Response | Details |
|---|---|---|---|
| 5.6.1 | Is a secure SDLC methodology followed? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 5.6.2 | Are static/dynamic application security tests (SAST/DAST) performed? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 5.6.3 | Is code review performed before deployment? | ☐ Yes ☐ No ☐ N/A | [________________] |
6. PRIVACY AND DATA SUBJECT RIGHTS
6.1 Privacy Program
| # | Control Area | Response | Details |
|---|---|---|---|
| 6.1.1 | Is there a designated privacy officer or DPO? | ☐ Yes ☐ No | Name: [________________] |
| 6.1.2 | Is there a written privacy policy? | ☐ Yes ☐ No | [________________] |
| 6.1.3 | Are privacy impact assessments conducted for high-risk processing? | ☐ Yes ☐ No | [________________] |
| 6.1.4 | Is privacy training provided to employees? | ☐ Yes ☐ No | Frequency: [____] |
6.2 Data Handling Practices
| # | Control Area | Response | Details |
|---|---|---|---|
| 6.2.1 | Are data minimization principles followed? | ☐ Yes ☐ No | [________________] |
| 6.2.2 | Are data retention schedules documented? | ☐ Yes ☐ No | [________________] |
| 6.2.3 | Are secure deletion procedures in place? | ☐ Yes ☐ No | Method: [________________] |
| 6.2.4 | Can data be returned/transferred upon contract termination? | ☐ Yes ☐ No | Format: [________________] |
| 6.2.5 | Will the vendor certify deletion in writing? | ☐ Yes ☐ No | [________________] |
6.3 Consumer/Data Subject Rights Support
Can the vendor support the following rights requests within applicable statutory timelines?
| Right | Supported | Typical Response Time |
|---|---|---|
| Access/Know | ☐ Yes ☐ No | [____] days |
| Deletion | ☐ Yes ☐ No | [____] days |
| Correction/Rectification | ☐ Yes ☐ No | [____] days |
| Data Portability | ☐ Yes ☐ No | [____] days |
| Opt-Out of Sale/Sharing | ☐ Yes ☐ No | [____] days |
| Opt-Out of Targeted Advertising | ☐ Yes ☐ No | [____] days |
| Opt-Out of Profiling | ☐ Yes ☐ No | [____] days |
| Restrict Processing of Sensitive Data | ☐ Yes ☐ No | [____] days |
7. SUBPROCESSORS AND FOURTH PARTIES
7.1 Subprocessor Inventory
Does the vendor use subprocessors or subcontractors to perform the services? ☐ Yes ☐ No
If yes, list all subprocessors that will access, process, or store our data:
| Subprocessor Name | Services Provided | Location | Data Types Accessed |
|---|---|---|---|
| [________________________________] | [________________] | [________________] | [________________] |
| [________________________________] | [________________] | [________________] | [________________] |
| [________________________________] | [________________] | [________________] | [________________] |
7.2 Subprocessor Oversight
| # | Control Area | Response |
|---|---|---|
| 7.2.1 | Are subprocessors subject to due diligence before engagement? | ☐ Yes ☐ No |
| 7.2.2 | Are subprocessor agreements in place with equivalent data protection terms? | ☐ Yes ☐ No |
| 7.2.3 | Will we be notified before new subprocessors are engaged? | ☐ Yes ☐ No |
| 7.2.4 | Do we have the right to object to new subprocessors? | ☐ Yes ☐ No |
| 7.2.5 | Notice period for subprocessor changes | [____] days |
8. INCIDENT RESPONSE AND BREACH HISTORY
8.1 Incident Response Program
| # | Control Area | Response | Details |
|---|---|---|---|
| 8.1.1 | Is there a documented incident response plan? | ☐ Yes ☐ No | [________________] |
| 8.1.2 | Is 24/7 incident response capability maintained? | ☐ Yes ☐ No | [________________] |
| 8.1.3 | Customer breach notification SLA | [____] hours | [________________] |
| 8.1.4 | Is the incident response plan tested annually? | ☐ Yes ☐ No | Last test: [__/__/____] |
| 8.1.5 | Does the vendor retain a forensics firm on retainer? | ☐ Yes ☐ No | Firm: [________________] |
8.2 Breach History (Last 3 Years)
Has the vendor experienced any data breaches, security incidents, or regulatory investigations in the past three (3) years? ☐ Yes ☐ No
If yes, provide details:
| Date | Nature of Incident | Data Impacted | Number of Records | Remediation Taken |
|---|---|---|---|---|
| [__/__/____] | [________________] | [________________] | [________________] | [________________] |
| [__/__/____] | [________________] | [________________] | [________________] | [________________] |
9. BUSINESS CONTINUITY AND DISASTER RECOVERY
| # | Control Area | Response | Details |
|---|---|---|---|
| 9.1 | Is there a documented business continuity plan (BCP)? | ☐ Yes ☐ No | [________________] |
| 9.2 | Is there a documented disaster recovery plan (DRP)? | ☐ Yes ☐ No | [________________] |
| 9.3 | Recovery Time Objective (RTO) | [____] hours | [________________] |
| 9.4 | Recovery Point Objective (RPO) | [____] hours | [________________] |
| 9.5 | Are regular backups performed? | ☐ Yes ☐ No | Frequency: [____] |
| 9.6 | Are backups stored in a separate location? | ☐ Yes ☐ No | [________________] |
| 9.7 | Are backup restorations tested? | ☐ Yes ☐ No | Frequency: [____] |
| 9.8 | Is the DRP tested at least annually? | ☐ Yes ☐ No | Last test: [__/__/____] |
| 9.9 | Have single points of failure been identified and mitigated? | ☐ Yes ☐ No | [________________] |
| 9.10 | Is there a pandemic/geographic disruption plan? | ☐ Yes ☐ No | [________________] |
10. CERTIFICATIONS, AUDITS, AND TESTING
10.1 Current Certifications
| Certification | Maintained | Scope Covers Our Services | Expiration Date |
|---|---|---|---|
| SOC 2 Type II | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____] |
| SOC 1 Type II | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____] |
| ISO 27001:2022 | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____] |
| HITRUST CSF | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____] |
| PCI DSS | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____] |
| FedRAMP | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____] |
| CSA STAR | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____] |
| Other: [________________] | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____] |
10.2 Audit Exceptions
Were any exceptions or qualifications noted in the most recent audit report? ☐ Yes ☐ No
If yes, describe exceptions and remediation status: [________________________________]
10.3 Penetration Testing
| Field | Response |
|---|---|
| Frequency of penetration testing | ☐ Annual ☐ Semi-Annual ☐ Quarterly ☐ Other: [____] |
| Date of last penetration test | [__/__/____] |
| Were critical or high findings identified? | ☐ Yes ☐ No |
| Have all critical/high findings been remediated? | ☐ Yes ☐ No ☐ In Progress |
| Will you share a summary report? | ☐ Yes ☐ No |
11. INSURANCE COVERAGE
| Coverage Type | Carrier | Limit | Expiration |
|---|---|---|---|
| Cyber/Technology E&O | [________________] | $[________________] | [__/__/____] |
| General Liability | [________________] | $[________________] | [__/__/____] |
| Professional Liability/E&O | [________________] | $[________________] | [__/__/____] |
| Crime/Fidelity | [________________] | $[________________] | [__/__/____] |
| Workers' Compensation | [________________] | $[________________] | [__/__/____] |
12. LEGAL AND REGULATORY MATTERS
12.1 Licenses and Registrations
| # | Question | Response |
|---|---|---|
| 12.1.1 | Does the vendor hold all licenses required to perform the services? | ☐ Yes ☐ No ☐ N/A |
| 12.1.2 | List applicable licenses | [________________________________] |
| 12.1.3 | Has the vendor been subject to any regulatory examination in the past 3 years? | ☐ Yes ☐ No |
| 12.1.4 | Are there any pending or resolved consent orders, settlements, or enforcement actions? | ☐ Yes ☐ No |
| 12.1.5 | Is there pending litigation related to the services to be provided? | ☐ Yes ☐ No |
If yes to any above, provide details: [________________________________]
12.2 Export Controls
| # | Question | Response |
|---|---|---|
| 12.2.1 | Are the vendor's products or services subject to U.S. export controls (EAR/ITAR)? | ☐ Yes ☐ No ☐ N/A |
| 12.2.2 | Is an export license required? | ☐ Yes ☐ No ☐ N/A |
12.3 Mergers and Acquisitions
Has the vendor undergone any merger, acquisition, or change of control in the past 24 months? ☐ Yes ☐ No
If yes, describe: [________________________________]
13. FINANCIAL VIABILITY
| # | Question | Response |
|---|---|---|
| 13.1 | Is the vendor willing to provide audited financial statements or a going-concern assessment? | ☐ Yes ☐ No |
| 13.2 | Has the vendor experienced any material adverse changes in the past 12 months? | ☐ Yes ☐ No |
| 13.3 | Revenue concentration: does any single client represent >25% of revenue? | ☐ Yes ☐ No |
| 13.4 | Has the vendor laid off more than 10% of staff in the past 12 months? | ☐ Yes ☐ No |
14. ESG, ETHICS, AND ANTI-CORRUPTION
| # | Control Area | Response |
|---|---|---|
| 14.1 | Is there a written code of conduct or ethics policy? | ☐ Yes ☐ No |
| 14.2 | Is there an anti-corruption/anti-bribery program? | ☐ Yes ☐ No |
| 14.3 | Is there a whistleblower/reporting hotline? | ☐ Yes ☐ No |
| 14.4 | Is there a modern slavery/forced labor policy? | ☐ Yes ☐ No |
| 14.5 | Is anti-corruption training provided to employees? | ☐ Yes ☐ No |
| 14.6 | Has the vendor been investigated for corruption or bribery? | ☐ Yes ☐ No |
15. REQUIRED ARTIFACTS CHECKLIST
Please provide the following documents with your completed questionnaire:
| # | Document | Provided | N/A |
|---|---|---|---|
| 15.1 | Information Security Policy | ☐ | ☐ |
| 15.2 | Privacy Policy | ☐ | ☐ |
| 15.3 | Incident Response Plan (summary) | ☐ | ☐ |
| 15.4 | Business Continuity/DR Plan (summary) | ☐ | ☐ |
| 15.5 | SOC 2 Type II Report (or bridge letter) | ☐ | ☐ |
| 15.6 | ISO 27001 Certificate | ☐ | ☐ |
| 15.7 | PCI DSS Attestation of Compliance | ☐ | ☐ |
| 15.8 | Penetration Test Summary Report | ☐ | ☐ |
| 15.9 | Subprocessor/Subcontractor List | ☐ | ☐ |
| 15.10 | Data Flow Diagram | ☐ | ☐ |
| 15.11 | Insurance Certificate(s) | ☐ | ☐ |
| 15.12 | Sample DPA / Security Addendum | ☐ | ☐ |
| 15.13 | Code of Conduct / Ethics Policy | ☐ | ☐ |
| 15.14 | Financial Statements (if requested) | ☐ | ☐ |
| 15.15 | DPIA / Privacy Impact Assessment (if available) | ☐ | ☐ |
16. ATTESTATION AND SIGNOFF
I, the undersigned, certify that the information provided in this questionnaire is true, complete, and accurate as of the date below. I understand that material misrepresentations may result in termination of the vendor relationship and potential legal liability. I commit to notifying the issuing organization within ten (10) business days of any material changes to the information provided herein.
Authorized Representative:
| Field | Information |
|---|---|
| Name | [________________________________] |
| Title | [________________________________] |
| Email | [________________________________] |
| Phone | [________________________________] |
| Signature | [________________________________] |
| Date | [__/__/____] |
SOURCES AND REFERENCES
- OCC Bulletin 2023-17, "Third-Party Relationships: Risk Management Guidance" (June 6, 2023)
- OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management Guidance" (Oct. 30, 2013)
- FFIEC IT Examination Handbook, "Outsourcing Technology Services" (June 2004; updated 2023)
- CFPB Bulletin 2012-03, "Service Providers" (Apr. 13, 2012)
- DOJ, "Evaluation of Corporate Compliance Programs" (rev. Mar. 2023)
- NIST SP 800-161 Rev. 1, "Cybersecurity Supply Chain Risk Management Practices" (May 2022)
- ISO/IEC 27001:2022, Information Security Management Systems
- NIST Cybersecurity Framework 2.0 (Feb. 2024), GV.SC Supply Chain Risk Management
This template is provided for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before use.
About This Template
Compliance documents are what regulated businesses use to prove they follow the rules that apply to their industry, whether that is privacy, anti-money-laundering, consumer protection, or sector-specific requirements. Regulators look for consistent policies, up-to-date records, and clear evidence of employee training. The cost of getting compliance paperwork right is almost always smaller than the cost of an enforcement action, fine, or public disclosure.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: April 2026